Okay, here is my iptables script.
I am unable to test it from my only internal machine because of some configuration problems. Here is my iptables script on my desktop (192.168.1.4) I'm connected to the net through ppp0.
(All the correct modules are compiled into the kernel) Some of those lines may be wrapped over so forget themCode:#!/bin/sh # Begin /etc/rc.d/init.d/firewall # Clearing any existing rules iptables -P INPUT ACCEPT iptables -F INPUT iptables -P OUTPUT ACCEPT iptables -F OUTPUT iptables -P FORWARD DROP iptables -F FORWARD iptables -t nat -F # Turn on IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # allow local-only connections iptables -A INPUT -i lo -j ACCEPT # free output on any interface to any ip for any service (equal to -P ACCEPT) iptables -A OUTPUT -j ACCEPT # permit answers on already established connections # and permit new connections related to established ones (eg active-ftp) iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT iptables -A FORWARD -j LOG # Masquerade the connection (-j MASQUERADE) iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE # Log everything else: What's Windows' latest exploitable vulnerability? iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT" # set a sane policy: everything not accepted > /dev/null iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # Let irc work properly iptables -A INPUT -i ppp0 -p tcp --dport 113 -j ACCEPT # be verbose on dynamic ip-addresses (not needed in case of static IP) echo 2 > /proc/sys/net/ipv4/ip_dynaddr # disable ExplicitCongestionNotification - too many routers are still ignorant echo 0 > /proc/sys/net/ipv4/tcp_ecn # End /etc/rc.d/init.d/firewall
Now as far as I can work out, this should masq my connections alright. I'm sticking OpenBSD on another computer in the next couple of days and would like to use ports to install a few things over my network. Will this script do masq alright for me?
Thanks!
As far as I can see, the script should work fine. If you want to do full connection tracking you should replace your default accept all OUTPUT and FORWARD rule with a stateful rule using -m state --state NEW, to match your ESTABLISHED and RELATED input rulesets. One thing though, the script does not masq (meaning NAT) your connetion. It does firewall your LAN though.
Hmm.. Okay. What do I need to add to it to get it to masq my connection?
need a iptables/firewalling PET ;D because i havent been able to learn/understand anything ive read for shit =P anyone have something that the newbiest of newbs could understand after reading?
To NAT your connection you need to add this line to your script.
I would make it one of the top most rules.Code:iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Also, if you don't plan on NATting this box, you will need to modify your FORWARD ruleset. Right now its allowing all out going packets from eth0 to ppp0, but it is not allowing any traffic back into the LAN (established, related). If you do NAT this connection, I don't think you will need to worry about forwarding from ppp0 to eth0 (WAN to LAN), since LAN bound packets will be destined for ppp0.
Here is my new (and clearer!) iptables script:
Now, as far as I can work out, NAT should work right? Well for some reason its not. Might it be that I haven't set up my clients properly?Code:#!/bin/sh # Begin /etc/rc.d/init.d/firewall # Turn on IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # Enable dynamic address hacking echo 1 > /proc/sys/net/ipv4/ip_dynaddr # Clear any existing rules iptables -P INPUT ACCEPT iptables -F INPUT iptables -P OUTPUT ACCEPT iptables -F OUTPUT iptables -P FORWARD DROP iptables -F FORWARD iptables -t nat -F # Masquerade the connection iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE # free output on any interface to any ip for any service (equal to -P ACCEPT) iptables -A OUTPUT -j ACCEPT # Allow all connections out - established ones in iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -j LOG # Drop everything not accepted iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # Let irc work properly iptables -A INPUT -i ppp0 -p tcp --dport 113 -j ACCEPT # End /etc/rc.d/init.d/firewall
[edit] Running traceroute tells me that the packets from my client is delivered to my gateway. So my theory is that either the packets are not being allowed back in, or they are not being sent by the gateway.
Any ideas?
I now believe that my script is stopping the packets before they even get out onto the net. I've tried pinging ip addresses but kppp tells me that no bytes went out as I was trying to ping the ip address (The ip was google so I should have been getting a response)
But what is stopping the packets from leaving my gateway?
I feel like I'm talking to myself here but here is my final script to actually works!
I'm still not quite sure why it wouldn't work but I'll try to figure it out later on.Code:#!/bin/sh # Clear any existing rules iptables -P INPUT ACCEPT iptables -F INPUT iptables -P OUTPUT ACCEPT iptables -F OUTPUT iptables -P FORWARD DROP iptables -F FORWARD iptables -t nat -F # allow local-only connections iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # allow forwarding iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state NEW -i ! ppp+ -j ACCEPT # do masquerading (not needed if intranet is not using private ip-addresses) iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE # Log everything for debugging (last of all rules, but before DROP/REJECT) iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD" iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -j ACCEPT # set a sane policy iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # be verbose on dynamic ip-addresses (not needed in case of static IP) echo 2 > /proc/sys/net/ipv4/ip_dynaddr # disable ExplicitCongestionNotification echo 0 > /proc/sys/net/ipv4/tcp_ecn # activate TCPsyncookies echo 1 > /proc/sys/net/ipv4/tcp_syncookies # activate Route-Verification = IP-Spoofing_protection for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done # activate IP-Forwarding echo 1 > /proc/sys/net/ipv4/ip_forward
So the last script works right? If so, I would imagine that the problem was corrected by the NEW state in your forward rulesset. The other scripts did not allow for packets other than established and related to pass from one interface to the next. Since no NEW packets could be forwarded through your box, no connections could be established to begin with. Remember, packets with a new state are the first part of the tcp/i three-way handshake.
Whenever I debug firewalls I log everything to the console and create different log prefixes for different rulessets so I can see at what point things are failing.
One question though. When you flush the default policy at the beginning of your script, you still have
Did you want this to be accept?Code:iptables -P FORWARD DROP iptables -F FORWARD
Another good thing to do is have a freind nmap your external interface, in addition to trying to connect to internal servers or scan beyond your firewall, just to make sure for a fact your firewall is working.
I once built a firewall, but screwed up my forwarding ruleset. Since my input ruleset was working correctly, nmapping the external interface showed that packets were being rejected. At this point I said "ok everything works fine." However, a week later, I was able to hit internal webservers from the extranet and only then did it dawn on my that I had misconfigured my forward ruleset and that my firewall was esentially a POS.
Posting Permissions
Reply With Quote
Bookmarks